|
| 1 | +--- |
| 2 | +title: "Route Policies in Azure's Operator Nexus Managed Network Fabric" |
| 3 | +description: Introduction to Route Policies in Azure Operator Nexus. |
| 4 | +author: joemarshallmsft |
| 5 | +ms.author: joemarshall |
| 6 | +ms.service: azure-operator-nexus |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 02/12/2024 |
| 9 | +ms.custom: template-concept |
| 10 | +--- |
| 11 | + |
| 12 | +# Route Policies in Azure's Operator Nexus Managed Network Fabric |
| 13 | + |
| 14 | +**Route policies** enable operators to control routes learnt and distributed through **Border Gateway Protocol** (BGP). BGP is a routing protocol that exchanges routing information between autonomous systems (AS) on the Internet. BGP uses attributes such as community values and extended community values to tag and filter routes. Route policies can be used to manipulate these attributes and influence the routing behavior. |
| 15 | + |
| 16 | +Route policies are a set of rules that are applied to routes based on their specific attributes. These attributes include IP prefixes, community values, and extended community values. The primary function of these policies is to allow or deny routes and to modify their attributes as needed. |
| 17 | + |
| 18 | +Route policies can be enforced at different endpoints in the network fabric. They can be applied at network-to-network interconnections (NNI) or at different levels in a layer 3 isolation domain, such as external networks, internal networks, and connected subnets. Route policies are applied in the direction of egress or ingress, depending on whether they're export or import policies. Route policies for IPv4 and IPv6 are enforced separately. |
| 19 | + |
| 20 | +Route policies can be specified with combinations of conditions and actions. Conditions are based on IP prefixes, IP communities, and IP extended communities. Actions are based on discarding or permitting routes, and adding, removing, or overwriting community values and extended community values. |
| 21 | + |
| 22 | +Route policies are modeled as Azure Resource Manager (ARM) resources under Microsoft.managednetworkfabric. They can be created, read, and deleted by operators. The operator creates a route policy resource and then applies it at the required enforcement point. A route policy can only be applied at one enforcement point at a time. |
| 23 | + |
| 24 | +## Objective |
| 25 | + |
| 26 | +Route policies are a key component of network management, as they offer control, flexibility, customization, and scalability over route distribution and modification. |
| 27 | + |
| 28 | +Route policies allow operators to control the distribution of routes based on various criteria such as security, performance, or cost. For example, they can prevent routes from an internal network reaching the external networks of a Layer 3 isolation domain, thus enhancing security and performance, and controlling traffic flow. |
| 29 | + |
| 30 | +Route policies also allow operators to modify the attributes of routes based on Border Gateway Protocol (BGP). By modifying the BGP attributes, operators can influence the path selection process in BGP and guide traffic along optimal paths. |
| 31 | + |
| 32 | +Route policies offer a high degree of flexibility and customization, enabling operators to define their own conditions and actions. This enables operators to implement complex logic or custom scenarios that aren't supported by the default routing behavior in the Network Fabric. |
| 33 | + |
| 34 | +Route policies simplify the management of large-scale networks, as they automate the process of managing routes. For example, operators can use route policies to apply consistent and uniform rules across multiple endpoints of a layer 3 isolation domain, or to update route policies in bulk using ARM templates. |
| 35 | + |
| 36 | +## Specifying the Conditions and Actions of a Route Policy |
| 37 | + |
| 38 | +The conditions and actions of a route policy are specified using the IP Prefix, IP Community, and IP Extended Community resources. These resources, modeled as ARM template resources under Microsoft.managednetworkfabric, define the match criteria and the actions for the route policy based on the IP prefix, the IP community, or the IP extended community of the routes. |
| 39 | + |
| 40 | +### IP Prefix Resource |
| 41 | + |
| 42 | +This resource specifies the match conditions for route policies based on the IP prefix (IPv4 or IPv6) of the routes. It contains a list of prefixes with sequence numbers and actions (permit or deny). |
| 43 | + |
| 44 | +### IP Community Resource |
| 45 | + |
| 46 | +This resource specifies the match conditions and actions for route policies based on the community values tagged to the routes. It contains well-known communities or custom community members. |
| 47 | + |
| 48 | +### IP Extended Community Resource |
| 49 | + |
| 50 | +This resource specifies the match conditions and actions for route policies based on the route targets. It contains a list of extended community values and specific properties. |
| 51 | + |
| 52 | +### Condition Property |
| 53 | + |
| 54 | +The condition property of a Route Policy statement defines how routes are matched to the policy: |
| 55 | + |
| 56 | +- **And**: The policy matches any route that matches **all** of the specified ipPrefixIds, ipCommunityIds, and ipExtendedCommunityIds. |
| 57 | + |
| 58 | +- **Or**: The policy matches any route that matches **any** of the ipPrefixIds, ipCommunityIds, and ipExtendedCommunityIds. |
| 59 | + |
| 60 | +The ipPrefixId, ipCommunityId, and ipExtendedCommunityId properties are arrays of strings that reference the IP Prefix, IP Community, and IP Extended Community resources that define the match criteria for the route attributes. |
| 61 | + |
| 62 | +### Action Property |
| 63 | + |
| 64 | +The action property of a Route Policy statement defines the action to be taken when a route matches the policy: |
| 65 | + |
| 66 | +- **Permit**: Permit the matching route and apply the ipCommunityProperties to the route. |
| 67 | + |
| 68 | +- **Deny**: Deny the matching route and stop the evaluation of the route policy. |
| 69 | + |
| 70 | +- **Continue**: Apply the ipCommunityProperties to the route, and continue evaluating the route policy with the next statement. |
| 71 | + |
| 72 | +### ipCommunityProperties Property |
| 73 | + |
| 74 | +The ipCommunityProperties property specifies how the policy affects the community values and extended community values of the route. |
| 75 | + |
| 76 | +It has a set property and a delete property. The set property specifies the IP Community and IP Extended Community resources to add or overwrite to the routes. The delete property specifies the IP Community and IP Extended Community resources to remove from the routes. |
| 77 | + |
0 commit comments